HackerOne rewards bughunter who found critical security hole in… HackerOne

Graham Cluley
Graham Cluley
@
@[email protected]
@gcluley

HackerOne rewards bughunter who found critical security hole in... HackerOne

Vulnerability-reporting platform HackerOne has come clean about a critical security flaw on its own website that could be used to expose the email addresses of users.

A researcher going by the name of “msdian7” revealed how an attacker could exploit the site’s project invite feature to uncover the email addresses of other users as detailed on the site itself:

“HackerOne has an invitation system that allows program owners to send invitations to users for various purposes, such as invitations to hack on private programs, claim bounties, be added to programs, among others. The invitation system allows users to be invited by email or by username. If a user is invited by their username, the sender is not permitted to view the email address the invitation is sent to for user privacy. This rule has been guarded by HackerOne’s Access Control Lists (ACLs) in HackerOne’s Representational state transfer (REST) framework, but HackerOne has been migrating these objects to GraphQL under a new protection layer. When exposing a new invitation object, the ACL rule previously applied wasn’t implemented correctly to the new GraphQL protection layer.”

Sign up to our free newsletter.
Security news, advice, and tips.

To HackerOne’s credit, the issue was resolved within three hours of msdian7 reporting the issue to them.

That’s an impressive response by HackerOne.

And that’s the important thing. I think we can all accept that any complicated website might have vulnerabilities and flaws from time-to-time. What matters most is that they are identified promptly and then resolved as quickly as possible, reducing the window of opportunity for malicious exploitation.

Msdian7 has been awarded a $8,500 bounty for their trouble.

A researcher using the handle msdian7 was given an $8,500 payout for discovering and reporting how an attacker could game the project invite feature on the site to view the hidden email addresses of other users. The flaw was traced back to a missing access control rule in HackerOne’s new GraphQL system.

In December a different security researcher received $20,000 from HackerOne after they discovered a way to access other users’ bug reports on the website.


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.